Decision on the Methodology for the Supervision of Payment Systems

Based on Article 2, paragraph 3, point c), Article 7, point b), and Articles 58 and 70 of the Law on the Central Bank of Bosnia and Herzegovina ("Official Gazette of BiH", nos. 1/97, 29/02, 8/03, 13/03, 14/03, 9/05, 76/06, and 32/07) and Articles 6 and 21 of the Decision on the Supervision of the Functioning of Payment Systems, no. UV-122-01-1-1909-9/22 dated 27.10.2022, the Governing Board of the Central Bank of Bosnia and Herzegovina, at its 13th session held on 27.09. and 29.09.2022, and its 14th session held on 27.10.2022, adopts

DECISION ON THE METHODOLOGY FOR THE SUPERVISION OF PAYMENT SYSTEMS

PART ONE – GENERAL PROVISIONS

Article 1. (Subject of the Decision) By this Decision, the Central Bank of Bosnia and Herzegovina (hereinafter: the Central Bank) establishes the criteria for the classification of payment systems and the standards that must be met for the efficient, reliable, and uninterrupted operation of payment systems.

PART TWO – CRITERIA FOR THE CLASSIFICATION OF PAYMENT SYSTEMS

Article 2. (Classification of payment systems) Payment systems are classified as systemically important payment systems, significant payment systems, or other payment systems in accordance with the classification of payment systems established by the Central Bank's regulation on the supervision of the functioning of payment systems.

Article 3. (Criteria for classification) Payment systems are classified based on the following criteria:

• the total value of transactions executed through the payment system during the previous calendar year,
• the total number of transactions executed through the payment system during the previous calendar year, and
• the settlement of payments of other payment systems or securities settlement systems within the given payment system.

Article 4. (Criteria for the classification of a systemically important payment system) A payment system is classified as a systemically important payment system if payments of other payment systems and/or securities settlement systems are settled within it, and if it meets one of the following conditions:

• the total value of transactions executed through the payment system during the previous calendar year amounts to at least 50 billion KM,
• the total number of transactions executed through the payment system during the previous calendar year amounts to at least 10 million.

Article 5. (Criteria for the classification of a significant payment system) A payment system that does not meet the conditions to be classified as a systemically important payment system is classified as a significant payment system if it meets the following conditions:

• the total value of transactions executed through the payment system during the previous calendar year amounts to at least 5 billion KM, and
• the total number of transactions executed through the payment system during the previous calendar year amounts to at least 10 million.

Article 6. (Criteria for the classification of other payment systems) A payment system that does not meet the conditions from Article 5 of this Decision is classified as "other payment systems".

Article 7. (Classification of payment systems of the Central Bank) The real-time gross settlement payment system and the giro clearing system, owned and operated by the Central Bank, are classified as systemically important payment systems.

Article 8. (Adoption of an act on the classification of an individual payment system) (1) The Governing Board will adopt an act on the classification of an individual payment system for all individual payment systems, except for the payment system referred to in Article 7 of this Decision, based on the criteria for the classification of payment systems established in Part Two of this Decision. (2) The Governing Board may adopt an act on the classification of an individual payment system that deviates from the criteria for the classification of payment systems established in Part Two of this Decision only if it deems it necessary for maintaining financial stability.

PART THREE – STANDARDS FOR THE EFFICIENT, RELIABLE, AND UNINTERRUPTED OPERATION OF A CLASSIFIED PAYMENT SYSTEM

Article 9. (Standards for the supervision of payment systems) The Central Bank applies the "Principles for Financial Market Infrastructures" established by the Central Bank's regulation on the supervision of the functioning of payment systems as standards that must be met for the efficient, reliable, and uninterrupted operation of a classified payment system.

Article 10. (Principles and key considerations for the assessment of payment system compliance) The fulfillment of standards for the efficient, reliable, and uninterrupted operation of classified payment systems is determined by assessing the level of compliance of payment systems with the principles and their key considerations in the manner established in Annex 1 of this Decision "Principles and key considerations for the assessment of payment system compliance", in accordance with the Central Bank's regulation on the supervision of the functioning of payment systems.

Article 11. (Application of principles and key considerations) Depending on the classification of the payment system, the appropriate principles and their key considerations are applied for the assessment of payment system compliance in the manner established in Annex 2 of this Decision "Principles and key considerations for assessment according to the classification of the payment system".

PART FOUR – FINAL PROVISIONS

Article 12. (Final provisions) This Decision enters into force on the eighth day from the date of publication on the website of the Central Bank of Bosnia and Herzegovina, and will be applied from 01.01.2023.

Chairman of the Governing Board of the Central Bank of Bosnia and Herzegovina No.: UV-122-01-1-1909-10/22 Sarajevo, 27.10.2022.

GOVERNOR dr. Senad Softić

Annex 1. "Principles and key considerations for the assessment of payment system compliance"

Principle 1. Legal Basis A payment system should have a solid, clear, transparent, and enforceable legal basis for every material aspect of its activities in all relevant jurisdictions.

Key Consideration 1 The legal basis should provide a high degree of certainty for every material aspect of the payment system's activities in all relevant jurisdictions.

Material aspects and relevant jurisdictions P.1.1.1: What are the material aspects of the payment system's activities that require a high degree of legal certainty (e.g., rights and interests in financial instruments; finality of settlement; netting; interoperability; immobilization and dematerialization of securities; delivery versus payment (DvP), payment versus payment (PvP) or delivery versus delivery (DvD) arrangements; collateral arrangements (including margin agreements); and default procedures)? P.1.1.2: What are the relevant jurisdictions for each material aspect of the payment system's activities?

Legal basis for each material aspect P.1.1.3: How does the payment system ensure that its legal basis (i.e., legal framework and rules, procedures, and contracts) provides a high degree of legal certainty for every material aspect of the payment system's activities in all relevant jurisdictions?

• For a payment system that has a netting arrangement, how does the payment system ensure that its legal basis supports the enforceability of that arrangement?
• If finality of settlement occurs in the payment system, how does the payment system ensure that its legal basis supports the finality of transactions, including those of insolvent participants? Does the legal basis for external settlement mechanisms used by the payment system, such as funds transfer systems or securities transfer systems, also support this finality?

Key Consideration 2 A payment system should have rules, procedures, and contracts that are clear, understandable, and consistent with relevant laws and regulations.

P.1.2.1: How does the payment system demonstrate that its rules, procedures, and contracts are clear and understandable? P.1.2.2: How does the payment system ensure that its rules, procedures, and contracts are consistent with relevant laws and regulations (e.g., through legal opinions or analysis)? Have any inconsistencies been identified and resolved? Have the payment system's rules, procedures, and contracts been reviewed or assessed by external authorities or entities? P.1.2.3: Do the payment system's rules, procedures, and contracts require approval before entering into force? If YES, from whom and how?

Key Consideration 3 A payment system should be able to articulate the legal basis for its activities to relevant competent authorities, participants, and, if relevant, participants' clients in a clear and understandable manner.

P.1.3.1: How does the payment system articulate the legal basis for its activities to relevant authorities, participants, and, where relevant, participants' clients?

Key Consideration 4 A payment system should have rules, procedures, and contracts that are enforceable in all relevant jurisdictions. There should be a high degree of certainty that actions taken by the payment system in accordance with those rules and procedures will not be voided, rendered invalid, or subject to stay.

Enforceability of rules, procedures, and contracts P.1.4.1: How does the payment system achieve a high level of confidence that the rules, procedures, and contracts relating to the payment system's operations are enforceable in all relevant jurisdictions identified in Key Consideration 1 (e.g., through legal opinions and analysis)?

Degree of certainty for rules and procedures P.1.4.2: How does the payment system achieve a high degree of certainty that its rules, procedures, and contracts will not be voided, rendered invalid, or subject to stay? Are there circumstances under which the payment system's actions under its rules, procedures, or contracts could be voided, rendered invalid, or subject to stay? If YES, list the circumstances. P.1.4.3: Has a court in any relevant jurisdiction ever deemed the payment system's activities or arrangements under its rules and procedures unenforceable?

Key Consideration 5 A payment system operating in multiple jurisdictions should identify and mitigate risks arising from potential conflicts of law in various jurisdictions.

P.1.5.1: If the payment system operates in multiple jurisdictions, how does the payment system identify and analyze any potential conflict of law issues? When there is uncertainty regarding the enforceability of law in relevant jurisdictions, has the payment system obtained an independent legal analysis of potential conflict of law issues? What potential conflict of law issues has the payment system identified and analyzed? How does the payment system resolve potential conflict of law issues?

Principle 2. Governance A payment system should have governance arrangements that are clear and transparent, and promote the safety and efficiency of the payment system and support the stability of the broader financial system, other relevant public interest considerations, and the objectives of relevant stakeholders.

Key Consideration 1 A payment system should have objectives that prioritize the safety and efficiency of the payment system and explicitly support financial stability and other relevant public interest considerations.

P.2.1.1: What are the objectives of the payment system and are they clearly identified? How does the payment system assess its performance in achieving its objectives? P.2.1.2: Do the payment system's objectives place a high priority on safety and efficiency? How do the payment system's objectives explicitly support financial stability and other relevant public interest considerations?

Key Consideration 2 A payment system should have documented governance arrangements that provide clear and direct lines of accountability and reporting. These arrangements should be published to owners, relevant authorities, participants, and, at a general level, the public.

Governance arrangements P.2.2.1: What are the governance arrangements under which the board of directors (or equivalent) and management of the payment system operate? What are the lines of accountability and reporting within the payment system? How and where are these arrangements documented? P.2.2.2: For systems managed by the central bank, how do governance arrangements address any identified or potential conflicts of interest? To what extent do governance arrangements allow for the separation of the operator and the supervisory function? P.2.2.3: How does the payment system report to owners, participants, and other relevant stakeholders?

Publication of governance arrangements P.2.2.4: How are the governance arrangements published to owners, relevant authorities, participants, and, at a general level, the public?

Key Consideration 3 The roles and responsibilities of the payment system's board of directors (or equivalent) should be clearly specified, and there should be documented procedures for functioning, including procedures for identifying, resolving, and managing conflicts of interest of members. The board should review the overall performance and the performance of individual board members regularly.

Roles and responsibilities of the board P.2.3.1: What are the roles and responsibilities of the payment system's board of directors (or equivalent), and are they clearly defined? P.2.3.2: What are the board's procedures for its functioning, including procedures for identifying, resolving, and managing conflicts of interest of members? How are these procedures documented and to whom are they published? How often are they revised? P.2.3.3: Describe the committees established to facilitate the functioning of the board of directors. What are the roles, responsibilities, and composition of those committees?

Performance review P.2.3.4: What procedures are established to review the work of the board of directors as a whole, and the work of each board member individually?

Key Consideration 4 The board should include appropriate members with the appropriate skills and motivation necessary to perform multiple roles. This usually means including non-executive board members.

P.2.4.1: To what extent does the payment system's board of directors have the appropriate skills and motivation necessary to perform its multiple roles? How does the payment system ensure that this is the case? P.2.4.2: What incentives does the payment system provide to board members to attract and retain board members with appropriate skills? How do these incentives reflect the long-term achievement of the payment system's objectives? P.2.4.3: Does the board of directors include non-executive or independent board members? If so, how many? P.2.4.4: If the board includes independent board members, how does the payment system define an independent board member? Does the payment system disclose which board member(s) it considers independent?

Key Consideration 5 The roles and responsibilities of management should be clearly defined. The payment system's management should have the appropriate experience, mix of skills, and integrity necessary to perform its responsibilities for the operation and risk management of the payment system.

Roles and responsibilities of management P.2.5.1: What are the roles and responsibilities of management and are they clearly stated? P.2.5.2: How are management roles and objectives set and evaluated?

Experience, skills, and integrity P.2.5.3: To what extent does the payment system's management have the appropriate experience, mix of skills, and integrity necessary for the operation and risk management of the payment system? How does the payment system ensure that this is the case? P.2.5.4: What is the process for removing management if necessary?

Key Consideration 6 The board should establish a clear, documented risk management framework that includes the payment system's risk tolerance policy, assigns responsibility for risk decisions, and addresses decision-making in crises and emergencies. Governance arrangements should ensure that risk management and internal control functions have sufficient authority, independence, resources, and access to the board.

Risk management framework P.2.6.1: What is the risk management framework established by the board of directors? How is this documented? P.2.6.2: How does this framework address the payment system's risk tolerance policy, assign responsibilities for risk decisions (such as risk exposure limits), and address decision-making in crises and emergencies? P.2.6.3: What is the process for determining, approving, and reviewing the risk management framework?

Authority and independence of risk management and audit functions P.2.6.4: What are the roles, responsibilities, authorities, lines of reporting, and resources of the risk management and audit functions? P.2.6.5: How does the board of directors ensure adequate management in terms of the adoption and use of risk management models? How are these models and related methodologies validated?

Key Consideration 7 The board should ensure that the payment system's concept, rules, overall strategy, and significant decisions adequately reflect the legitimate interests of direct and indirect participants and other relevant stakeholders. Significant decisions should be clearly published to relevant stakeholders and, where there is significant market impact, to the public.

Identification and consideration of stakeholder interests P.2.7.1: How does the payment system identify and take into account the interests of payment system participants and other relevant stakeholders in its decision-making regarding its concept, rules, overall strategy, and major decisions? P.2.7.2: How does the board of directors consider the views of direct and indirect participants and other relevant stakeholders on these decisions; for example, are participants involved in the risk management committee, in user committees such as the management of failed obligations group, or through public consultations? How are conflicts of interest between stakeholders and the payment system identified and how are they resolved?

Publication P.2.7.3: To what extent does the payment system publish significant decisions made by the board of directors to relevant stakeholders and, where appropriate, to the public?

Principle 3. Comprehensive Risk Management Framework A payment system should have a robust framework for risk management for the comprehensive management of legal, credit, liquidity, operational, and other risks.

Key Consideration 1 A payment system should have risk management policies, procedures, and systems that enable the identification, measurement, monitoring, and management of a range of risks arising from or faced by the payment system. Risk management frameworks should be subject to periodic review.

Risks arising from or faced by the payment system P.3.1.1: What types of risks arise from or are faced by the payment system?

Risk management policies, procedures, and systems P.3.1.2: What are the payment system's policies, procedures, and controls that help in identifying, measuring, monitoring, and managing risks arising from or faced by the payment system? P.3.1.3: What risk management systems does the payment system use to help in identifying, measuring, monitoring, and managing its risks? P.3.1.4: How do these systems ensure the capacity to aggregate the payment system's exposures, and where appropriate, other relevant parties, such as payment system participants and their clients?

Review of risk management policies, procedures, and systems P.3.1.5: What is the process for the development, approval, and maintenance of risk management policies, procedures, and systems? P.3.1.6: How does the payment system assess the effectiveness of its risk management policies, procedures, and systems? P.3.1.7: How often does the payment system review and update its risk management policies, procedures, and systems? How do these revisions take into account changes in risk intensity, the changing environment, and market practices?

Key Consideration 2 A payment system should provide incentives for participants and, if relevant, their clients to manage and control the risks they pose to the payment system.

P.3.2.1: What information does the payment system provide to its participants and, where relevant, their clients to enable them to manage and control the risks they pose to the payment system? P.3.2.2: What incentives does the payment system provide to participants and, where relevant, their clients for monitoring and managing the risks they pose to the payment system? P.3.2.3: How does the payment system design its policies and systems to be effective in enabling its participants and, where relevant, their clients to manage and control their risks?

Key Consideration 3 A payment system should regularly review significant material risks it bears from other entities or poses to other entities (such as other payment system(s), settlement banks, liquidity providers, and service providers), as a result of interdependence, and develop appropriate risk management instruments to address these risks.

Significant material risks P.3.3.1: How does the payment system identify significant material risks arising from other entities and risks to which the payment system exposes other entities as a result of interdependence? What significant material risks has the payment system identified? P.3.3.2: How are these risks measured and monitored? How often does the payment system review these risks?

Risk management instruments P.3.3.3: What risk management tools does the payment system use to address risks arising from interdependence with other entities? P.3.3.4: How does the payment system assess the effectiveness of these risk management tools? How does the payment system review the risk management tools it uses to address these risks? How often is this review conducted?

Key Consideration 4 A payment system should identify scenarios that could potentially prevent the ability to perform key operations and services as a current issue of concern and assess the effectiveness of a full range of recovery or orderly wind-down options. A payment system should prepare appropriate recovery or orderly wind-down plans based on the results of that assessment. If applicable, the payment system should also provide relevant competent authorities with information necessary for wind-down planning.

Scenarios that could prevent the payment system from performing key operations and services P.3.4.1: How does the payment system identify scenarios that could potentially prevent the payment system from providing its key operations and services? What scenarios have been identified as a result of these processes? P.3.4.2: How do these scenarios take into account both independent and correlated risks to which the payment system is exposed?

Recovery and orderly wind-down P.3.4.3: What plans does the payment system have for its recovery or orderly wind-down? P.3.4.4: How do the payment system's key strategies for recovery or orderly wind-down enable the payment system to continue providing key operations and services? P.3.4.5: How are the payment system's recovery and orderly wind-down plans reviewed and updated? How often are the plans reviewed and updated?

Principle 4. Credit Risk A payment system should efficiently measure, monitor, and manage its credit exposure to participants, as well as exposures arising from payment, clearing, and settlement processes. A payment system should maintain sufficient financial resources to cover its credit exposure to each participant in full with a high degree of confidence.

Key Consideration 1 A payment system should establish a robust framework for managing credit exposure to its participants and credit risks arising from its payment, clearing, and settlement processes. Credit exposure may arise from current exposure, potential future exposure, or both.

P.4.1.1: What is the payment system's framework for managing credit exposures (including current and potential future exposure to its participants, arising from its payment, clearing, and settlement processes)? P.4.1.2: How often is the framework revised to reflect the changing environment, market practices, and new products?

Key Consideration 2 A payment system should identify sources of credit risk, regularly measure and monitor credit exposure, and control these risks using appropriate risk management tools.

P.4.2.1: How does the payment system identify sources of credit risk? What are the sources of credit risk identified by the payment system? P.4.2.2: How does the payment system measure and monitor credit exposure? How often is it recalculated, and how often could the payment system recalculate these exposures? How timely are the information? P.4.2.3: What tools does the payment system use to control identified sources of credit risk (e.g., CPPI or settlement mechanism based on delivery versus payment (DvP) principle (engl. s...